I have a RHEL server in which I have configured an audit rule to log a specific event. I wanted to forward those logs to a remote syslog server. I couldn't find a way to forward those specific logs, so I configured forwarding of all audit logs to the remote server, due to which /var/log on the remote syslog server is getting full frequently. I have 2 ways to fix this problem but I cannot find a technical solution for either.
- Log the events of that specific rule to a separate log file or if possible, directly to the remote syslog server
- Forward only the audit logs generated by that specific rule to the remote syslog server
Any other solution is much appreciated.
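As an added example (not part of the original question or of any answer to it), the selection logic the second option needs, written in Python: auditd stamps every record produced by a rule with the `key=` that was given on the rule (`-k`), so filtering on that field isolates the records of one rule. The script parses the `key=` field, keeps only records whose key matches, and frames each surviving record as an RFC 3164 syslog line ready to send over UDP. The key name `watched_rule`, the remote host `syslog.example.internal`, and the sample audit lines are constructed placeholders.

```python
import re
import socket
from datetime import datetime

# Constructed sample records in the format auditd writes to /var/log/audit.log.
# Assumption: the rule was loaded with "-k watched_rule" (placeholder key name).
# Records of one event share the msg=audit(timestamp:serial) id, and every
# record of that event carries the rule's key, so PATH/CWD records come along.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 key="watched_rule"',
    'type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/shadow" key="watched_rule"',
    'type=SYSCALL msg=audit(1700000000.124:457): arch=c000003e syscall=2 success=yes exit=4 key="other_rule"',
    'type=USER_LOGIN msg=audit(1700000000.125:458): pid=1 uid=0 auid=1000 res=success key=(null)',
]

# The key field is quoted when set; records without a key carry key=(null).
KEY_RE = re.compile(r'\bkey="([^"]*)"')


def audit_key(line):
    """Return the key= value of an audit record, or None if the record has no key."""
    m = KEY_RE.search(line)
    return m.group(1) if m else None


def select_by_key(lines, wanted_key):
    """Keep only the records produced by the rule loaded with -k wanted_key."""
    return [line for line in lines if audit_key(line) == wanted_key]


def to_syslog(line, hostname, facility=22, severity=6):
    """Frame one audit record as an RFC 3164 message.

    facility 22 is local6 and severity 6 is informational (a chosen default,
    not something auditd dictates), so PRI = 22 * 8 + 6 = 182.
    """
    pri = facility * 8 + severity
    ts = datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} audit: {line}"


def forward(lines, wanted_key, remote_host, remote_port=514):
    """Send only the matching records to the remote syslog server over UDP.

    Returns the number of records forwarded so the caller can account for them.
    """
    selected = select_by_key(lines, wanted_key)
    hostname = socket.gethostname()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for record in selected:
            sock.sendto(to_syslog(record, hostname).encode(), (remote_host, remote_port))
    return len(selected)


if __name__ == "__main__":
    # Dry run against the constructed sample: print what would be forwarded.
    for record in select_by_key(SAMPLE_AUDIT_LINES, "watched_rule"):
        print(to_syslog(record, "rhel-host"))
    # A live run would read /var/log/audit.log and call, e.g.:
    # forward(lines, "watched_rule", "syslog.example.internal")
```

The same match can be expressed without a script once audit records reach rsyslog through the audispd syslog plugin: an rsyslog rule of the form `if $msg contains 'key="watched_rule"' then @@remote:514` followed by `& stop` forwards only those records and discards the rest locally, which is what keeps the remote /var/log from filling with the other rules' output. Whichever route is used, check the result by grepping the remote server's log for `key="other_rule"`-style records; none should appear.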